Abstract. Cryptographic primitives are fundamental for information security: they are used as basic components for cryptographic protocols or public-key cryptosystems. In many cases, their security proofs consist in showing that they are reducible to computationally hard problems. Those reductions can be subtle and tedious, and thus not easily checkable. On top of the proof assistant Coq, we had implemented in previous work a toolbox for writing and checking game-based security proofs of cryptographic primitives. In this paper we describe its extension with number-theoretic capabilities, so that it is now possible to write and check arithmetic-based cryptographic primitives in our toolbox. We illustrate our work by machine checking the game-based proofs of unpredictability of the pseudo-random bit generator of Blum, Blum and Shub, and of semantic security of the public-key cryptographic scheme of Goldwasser and Micali.
1 Introduction

Cryptographic primitives are fundamental components for information security. In many cases, their security proofs consist in showing that they are reducible to computationally hard problems. Those reductions can be subtle and tedious, and thus not easily checkable. Bellare and Rogaway even claim that:

"many proofs in cryptography have become essentially unverifiable. Our field may be approaching a crisis of rigor."

As a remedy, they, and also Shoup, advocate game-based security proofs. This is a methodology for writing proofs which makes them easier to read and check. Halevi goes further by advocating the need for software which can deal with the mundane parts of writing and checking game-based proofs [10].

In the game-based approach, a security property is modeled as a probabilistic program which implements a game to be solved by the attacker. The attacker itself is modeled as an external probabilistic procedure interfaced with the game. The goal is then to prove that any attacker has at most a negligible advantage over a random player. An attacker is assumed to be efficient, i.e., it is modeled as a probabilistic polynomial-time (PPT) algorithm.

Related Work. There are tools such as ProVerif, CryptoVerif or the prototype implementation of [12] which can make automatic proofs of cryptographic protocols or generic cryptographic schemes. However, those tools assume that some secure cryptographic primitives are given. The security of those primitives cannot be proved automatically. Nevertheless, their security proofs can be checked by a computer.

The game-based proof of the PRP/PRF switching lemma has been formalized in the proof assistant Coq. Although it is not by itself a cryptographic primitive, this lemma is fundamental in proving the security of some cryptographic schemes. The proof has been made in the random oracle model. The machine formalization in [1] is a so-called deep embedding: games are syntactic objects, and game transformations are syntactic manipulations which can be automated in the language of the proof assistant. The main advantages of this approach are that one can prove completeness of decision procedures, if any, and get smaller proof terms. However, those advantages are not exploited in [1]. Moreover, this comes at the cost of developing a huge machinery for syntactic manipulations. Two other deep embeddings are currently being developed [2, 3].

* This paper is an extended version of [H].

Previous Work. In cryptographers' papers, the formal semantics of games is either left implicit or, at best, informally explained in English. This is not enough for machine formalization. In previous work, we have (1) proposed a formal semantics for games, (2) implemented it in the proof assistant Coq, and (3) used it to prove the semantic security of the ElGamal and Hashed ElGamal public-key cryptographic schemes [13]. Our machine formalization is a so-called shallow embedding: games are probability distributions (as advocated by Shoup [16]). Game transformations can still be automated by going through the metalanguage of the proof assistant. Compared to [1], we have been very careful in making our design choices such that our implementation remains light. This is an important design issue in formal verification because formal proofs grow quickly in size when one tackles real-world use-cases.

Our toolbox comes in two layers. The first layer extends the standard library of Coq with 
mathematical notions and their properties that are fundamental in cryptography but not avail- 
able in the standard library of Coq. This consists of a library for probability distributions, 
bitstrings, and a small library for elementary group theory. On top of this, the second layer 
consists of formal versions of security definitions and hard problems, and basic game trans- 
formations which can be composed to reduce the security of cryptographic primitives to hard 
problems. 

By using our toolbox, one is forced to exhibit all the steps of his or her game-based proof, and thus cannot hide assumptions or make proofs by intimidation such as "Trivial" or "The reader may easily supply the details". In spite of the required level of detail, proofs remain human readable and human checkable.



Our contributions. We have extended our toolbox in order to be able to deal with cryptographic primitives based on number theory. For that purpose we have added to the first layer a library of definitions and lemmas for integers modulo n. In particular we have formalized the notions of Legendre and Jacobi symbols, Blum primes, and their properties, which are of fundamental use in cryptography. This is already by itself a contribution to the theorem-proving community (1). We have also considerably extended and generalized our library on elementary group theory (2). Then we have used our extension of the first layer in adding to the second layer the security notion of unpredictability, the quadratic residuosity assumption, and number-theoretic game transformations.

Finally, we have used our extensions to machine check the proof of unpredictability of the pseudo-random bit generator of Blum, Blum and Shub [7]. We have also machine checked the proof of semantic security of the public-key cryptographic scheme of Goldwasser and Micali [8]. Our security proofs of those two primitives are based on the intractability of the quadratic residuosity problem. To the best of our knowledge, this is the first time that security proofs of cryptographic primitives based on number theory are machine checked. This is also the first time that a proof of unpredictability is machine checked. None of the above-mentioned related work could be used in its current state to formalize such proofs because it is missing components for number theory.

(1) Tools such as Mathematica can deal with formal computations involving Legendre and Jacobi symbols, but cannot be used to make formal proofs. In particular they do not allow reasoning by induction.

(2) There are more advanced libraries on group theory, such as [3], but none of them are available with the version of Coq that we are using (8.2beta3).

Outline. We introduce the proof assistant Coq in Sect. 2. In Sect. 3, we give formal meaning to games in terms of distributions. We give in Sect. 4 the number-theoretic facts that we use in Sect. 5. In Sect. 5.1 we apply our work to the proof of unpredictability of the Blum-Blum-Shub generator, and in Sect. 5.2 we apply it to the proof of semantic security of the Goldwasser-Micali scheme. Finally, we briefly describe our implementation in Sect. 6 before concluding in Sect. 7.

2 The Coq proof assistant

Coq is a proof assistant developed at INRIA since 1984 (3). It is based on a kernel which takes a mathematical statement S and a proof term p as input and checks whether p is a correct proof of S. On top of this kernel there are: a tactic language which allows one to build proof terms in an incremental way; and decision procedures for decidable fragments such as Presburger arithmetic or propositional logic.

Coq is goal-directed. This means that if we are trying to prove that a formula Q (the goal) is true, and we have an already proved theorem stating that $P_1 \wedge P_2$ implies Q, then we can apply this theorem. Coq will replace the goal Q by two subgoals $P_1$ and $P_2$. Proofs by induction are also possible. We proceed this way until we finally reach goals that are either axioms or are true by definition. On the way, Coq incrementally builds a proof term to be checked later by the kernel.

The kernel is the only critical part: if a bug outside the kernel causes a wrong proof term to 
be built, it will be rejected by the kernel. 

In order to be closer to mathematical practice, Coq also provides mechanisms for introducing 
notations, or for inferring implicit parameters and subset coercions. It also comes with a standard 
library of definitions and lemmas, for instance on elementary arithmetic, analysis or polymorphic 
lists. 

3 Games

We denote a game by a finite probability distribution (from now on, we will abbreviate this term as distribution). A distribution $\delta$ over a set $S$ is defined as a finite multiset (4) of ordered pairs from $S \times \mathbb{R}$ such that $\sum_{(a,p) \in \delta} p = 1$. We use the symbols $\{|$ and $|\}$ as delimiters of multisets, not to confuse them with sets. We write $p \cdot \{|(a_1, p_1), \ldots, (a_n, p_n)|\}$ for the multiset $\{|(a_1, p \cdot p_1), \ldots, (a_n, p \cdot p_n)|\}$.

For convenience, we introduce some notations (cf. Fig. 1) for writing distributions so that they look like probabilistic programs:

— We write $\mathrm{return}\ a$ for the distribution with only the element $a$, with probability 1.

— We write $x \Leftarrow \delta;\ \varphi(x)$ for the distribution built by picking at random a value $x$ according to the distribution $\delta$ and then computing the distribution $\varphi(x)$.

— We write $x \leftarrow \{a_1, \ldots, a_n\};\ \varphi(x)$ for the distribution built by picking uniformly at random a value $x$ in the set $\{a_1, \ldots, a_n\}$ and then computing the distribution $\varphi(x)$.

— We abbreviate this last case by $x \leftarrow a;\ \varphi(x)$ when the set is a singleton $\{a\}$.

(3) http://coq.inria.fr/

(4) A multiset (a.k.a. a bag) is a generalization of a set; a member of a multiset may be a member more than once. For example, the multisets $\{|1, 2, 2|\}$ and $\{|1, 2|\}$ are different; and the union of $\{|1, 2, 2, 3|\}$ and $\{|1, 4, 4|\}$ is equal to $\{|1, 1, 2, 2, 3, 4, 4|\}$.
$$\mathrm{return}\ a = \{|(a, 1)|\}$$

$$x \Leftarrow \delta;\ \varphi(x) = \bigcup_{(a,p) \in \delta} p \cdot \varphi(a)$$

$$x \leftarrow \{a_1, \ldots, a_n\};\ \varphi(x) = x \Leftarrow \{|(a_1, \tfrac{1}{n}), \ldots, (a_n, \tfrac{1}{n})|\};\ \varphi(x)$$

$$x \leftarrow a;\ \varphi(x) = x \leftarrow \{a\};\ \varphi(x)$$

Fig. 1. Notations for distributions ($\bigcup$ is multiset union)

$$x \leftarrow a;\ \varphi(x) = \varphi(a)$$

$$x \Leftarrow \delta;\ \mathrm{return}\ x = \delta$$

$$y \Leftarrow (x \Leftarrow \delta;\ \varphi(x));\ \psi(y) = x \Leftarrow \delta;\ (y \Leftarrow \varphi(x);\ \psi(y))$$

Fig. 2. Monad laws

Distributions have a monadic structure [15] and thus satisfy the monad laws (cf. Fig. 2). Those laws state that our notations for distributions behave well. The first one simply states that the occurrences of a deterministically assigned variable $x$ can be replaced by their definition (constant propagation). The second one is a kind of $\eta$-reduction. The third one allows one to simplify nested sequences.

We write $\Pr[P(\delta)]$ for the probability that $P$ holds of an element picked at random in the distribution $\delta$. Its value is

$$\Pr[P(\delta)] = \sum_{(a,p) \in \delta\ \text{s.t.}\ P(a)} p$$

We define a notion of indistinguishability for distributions. Security definitions, hard problems and game transformations will all be defined with this relation. Two distributions $\delta_1$ and $\delta_2$ are indistinguishable modulo $\varepsilon$ w.r.t. a predicate $P$, written $\delta_1 \equiv^P_\varepsilon \delta_2$, iff:

$$|\Pr[P(\delta_1)] - \Pr[P(\delta_2)]| \le \varepsilon$$

$\equiv^P_\varepsilon$ is reflexive and symmetric. If $\delta_1 \equiv^P_\varepsilon \delta_2$ and $\delta_2 \equiv^P_{\varepsilon'} \delta_3$, then $\delta_1 \equiv^P_{\varepsilon + \varepsilon'} \delta_3$. If $\delta_1 \equiv^P_\varepsilon \delta_2$ and $\varepsilon \le \varepsilon'$, then $\delta_1 \equiv^P_{\varepsilon'} \delta_2$. We write $\equiv_\varepsilon$ instead of $\equiv^P_\varepsilon$ when $P$ is the predicate on booleans such that $P(b)$ holds iff $b$ is equal to true.

Lemma 3.1. If $f : S \to T$ is a bijection then, for all $\varphi$ and $P$,

$$x \leftarrow S;\ \varphi(f(x)) \quad \equiv^P_0 \quad x \leftarrow T;\ \varphi(x)$$

It is also true when $f$ is a surjective $N$-to-one function (every element of $T$ has exactly $N$ preimages, so the uniform distribution on $S$ is mapped by $f$ onto the uniform distribution on $T$).

This kind of transformation of one game into another one is at the crux of the security proofs we are dealing with.


4 Some elementary number theory

Let $n$ be a positive number. We write $\mathbb{Z}_n$ for the set of integers modulo $n$. The multiplicative group of $\mathbb{Z}_n$ is written $\mathbb{Z}_n^*$ and consists of the subset of integers modulo $n$ which are coprime with $n$. An integer $x \in \mathbb{Z}_n^*$ is a quadratic residue modulo $n$ iff there exists a $y \in \mathbb{Z}_n^*$ such that $y^2 \equiv x \pmod n$. Such a $y$ is called a square root of $x$ modulo $n$. We write $QR_n$ for the set of quadratic residues modulo $n$, and $QNR_n$ for its complement in $\mathbb{Z}_n^*$, i.e., the set of quadratic non-residues modulo $n$. We write $\mathbb{Z}_n^*(+1)$ (respectively, $QNR_n(+1)$) for the subset of integers in $\mathbb{Z}_n^*$ (respectively, $QNR_n$) with Jacobi symbol equal to 1.

The quadratic residuosity problem is the following: given an odd composite integer $n$, decide whether or not an $x \in \mathbb{Z}_n^*$ is a quadratic residue modulo $n$.

Let $n$ be the product of two distinct odd primes $p$ and $q$. The quadratic residuosity assumption (QRA) states that the above problem is intractable. In our framework, this can be stated as:

Assumption 4.1 (QRA). For every attacker $A'$, there exists a negligible $\varepsilon$ such that

    x ← Z_n^*(+1);
    b̂ ⇐ A'(n, x);
    b ← (b̂ = qr(x));
    return b
  ≡_ε
    b ← {true, false};
    return b

In the left-side game, an $x$ is picked at random in the set $\mathbb{Z}_n^*(+1)$; this $x$ is passed with $n$ to the attacker $A'$; the attacker returns its guess $\hat{b}$ for the quadratic residuosity (modulo $n$) of $x$; this guess is compared with the true quadratic residuosity (modulo $n$) $qr(x)$ of $x$; and the result $b$ of this comparison is returned. In the right-side game, the result is random. QRA states that the advantage $\varepsilon$ of any attacker over a random player is negligible. Restricting $x$ to $\mathbb{Z}_n^*(+1)$ matters: the Jacobi symbol is computable without the factorization of $n$, so an $x$ with Jacobi symbol $-1$ is known to be a non-residue, and the problem is only hard on $\mathbb{Z}_n^*(+1)$.

Note that the fact that $A'$ is a randomized algorithm is modeled by the attacker returning a distribution from which $\hat{b}$ is picked.

In the security proofs, we will need the following well-known mathematical facts (remember that $n$ is the product of two distinct odd primes $p$ and $q$):

Fact I. The function which maps an $x \in \mathbb{Z}_n^*$ to $x^2 \in QR_n$ is a surjective four-to-one function.

Fact II. For any $y \in QNR_n(+1)$, the function which maps an $x \in QR_n$ to $y \cdot x \in QNR_n(+1)$ is a bijection.

Fact III. $|QR_n| = |QNR_n(+1)|$

Fact IV. $\mathbb{Z}_n^*(+1) = QR_n \cup QNR_n(+1)$

Let $n$ be a Blum integer, i.e., the product of two distinct prime numbers $p$ and $q$, each congruent to 3 modulo 4. In this case, any $x \in QR_n$ has a unique square root in $QR_n$, which we denote by $\sqrt{x}$ and call the principal square root of $x$. And we get the following additional facts [7]:

Fact V. The function which maps an $x \in QR_n$ to $x^2 \in QR_n$ is a permutation.

Fact VI. The function which maps an $x \in \mathbb{Z}_n^*(+1)$ to $x^2 \in QR_n$ is a surjective two-to-one function.

Fact VII. For all $x \in QR_n$, $\sqrt{x^2} = x$

Fact VIII. For all $x \in \mathbb{Z}_n^*(+1)$, $x \in QR_n \Leftrightarrow \mathrm{parity}(x) = \mathrm{parity}(\sqrt{x^2})$
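Facts I to VIII checked exhaustively on a constructed toy Blum integer, as an added example (Python, not the paper's Coq library): a general Jacobi-symbol routine, the sets $\mathbb{Z}_n^*$, $QR_n$, $QNR_n(+1)$ and $\mathbb{Z}_n^*(+1)$, the principal square root, and one boolean per Fact. The modulus $n = 7 \cdot 11 = 77$ is chosen only because it is small enough to enumerate; `check_facts` runs for any other product of two distinct primes congruent to 3 modulo 4.

```python
from math import gcd


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0, via quadratic reciprocity.
    For prime n this is the Legendre symbol.  Needs no factorisation of n."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:                 # pull out factors of 2: (2/n)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                       # reciprocity: swap
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0        # 0 iff gcd(a, n) > 1


def units(n):            # Z_n^*
    return [x for x in range(1, n) if gcd(x, n) == 1]


def qr(n):               # QR_n
    return sorted({pow(y, 2, n) for y in units(n)})


def qnr_plus1(n):        # QNR_n(+1): non-residues with Jacobi symbol +1
    residues = set(qr(n))
    return [x for x in units(n) if x not in residues and jacobi(x, n) == 1]


def units_plus1(n):      # Z_n^*(+1)
    return [x for x in units(n) if jacobi(x, n) == 1]


def principal_sqrt(x, n):
    """For a Blum integer n and x in QR_n: the unique square root of x
    that is itself a quadratic residue."""
    roots = [y for y in qr(n) if pow(y, 2, n) == x]
    assert len(roots) == 1, "n is not a Blum integer or x is not in QR_n"
    return roots[0]


def parity(x):
    return x % 2


def check_facts(p, q):
    """Exhaustively verify Facts I-VIII for n = p*q with p ≡ q ≡ 3 (mod 4)."""
    assert p != q and p % 4 == 3 and q % 4 == 3
    n = p * q
    U, Q, NQ1, U1 = units(n), qr(n), qnr_plus1(n), units_plus1(n)
    res = {}
    # Fact I: squaring Z_n^* -> QR_n is surjective and exactly 4-to-1
    fibres = {r: [x for x in U if pow(x, 2, n) == r] for r in Q}
    res["I"] = all(len(f) == 4 for f in fibres.values())
    # Fact II: for every y in QNR_n(+1), x -> y*x is a bijection QR_n -> QNR_n(+1)
    res["II"] = all(sorted(y * x % n for x in Q) == sorted(NQ1) for y in NQ1)
    # Facts III and IV
    res["III"] = len(Q) == len(NQ1)
    res["IV"] = sorted(Q + NQ1) == sorted(U1)
    # Fact V: squaring permutes QR_n
    res["V"] = sorted(pow(x, 2, n) for x in Q) == Q
    # Fact VI: squaring Z_n^*(+1) -> QR_n is surjective and exactly 2-to-1
    fibres1 = {r: [x for x in U1 if pow(x, 2, n) == r] for r in Q}
    res["VI"] = all(len(f) == 2 for f in fibres1.values())
    # Fact VII: the principal root of x^2 is x itself, for x in QR_n
    res["VII"] = all(principal_sqrt(pow(x, 2, n), n) == x for x in Q)
    # Fact VIII: for x in Z_n^*(+1), x in QR_n  <=>  parity(x) = parity(sqrt(x^2))
    res["VIII"] = all(
        (x in Q) == (parity(x) == parity(principal_sqrt(pow(x, 2, n), n)))
        for x in U1)
    return res
```

Fact VIII is the one that carries the BBS reduction: for $x \in \mathbb{Z}_n^*(+1) \setminus QR_n$ the principal root of $x^2$ is $n - x$, which has the opposite parity of $x$ because $n$ is odd, so the parity of the principal root reveals residuosity.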

5 Applications 

In this section, we apply our work to the proofs of unpredictability of the Blum-Blum-Shub 
generator, and to the proof of semantic security of the Goldwasser-Micali scheme. 
    bbs(len ∈ ℕ, seed ∈ Z_n^*) = bbs_rec(len, seed^2)

    bbs_rec(len ∈ ℕ, x ∈ QR_n) =
      match len with
      | 0        ⇒ []
      | len' + 1 ⇒ parity(x) :: bbs_rec(len', x^2)
      end

Fig. 3. The Blum-Blum-Shub generator



5.1 The Blum-Blum-Shub pseudorandom bit generator

The security of many cryptographic systems depends upon a cryptographic primitive for the generation of unpredictable sequences of bits. They are used to generate keys, nonces or salts. Ideally, those sequences of bits should be random, that is, generated by successive flips of a fair coin. In practice, one uses a pseudorandom bit generator (PRBG) which, given a short seed, generates a long sequence of bits that appears random. For the purpose of simulation, one only requires of a PRBG that it passes certain statistical tests (cf. Chapter 3 of [H]). This is not enough for cryptography. A PRBG is cryptographically secure iff it passes all polynomial-time statistical tests: roughly speaking, no polynomial-time algorithm can distinguish between an output sequence of the generator and a truly random sequence.

In [7], the Blum-Blum-Shub generator (BBS) is proved left-unpredictable (under the quadratic residuosity assumption). It was proved by Yao in [18] that this is equivalent to stating that BBS passes all polynomial-time statistical tests. It is shown in [17] that BBS is still secure under the weaker assumption that n is hard to factorize. The same authors also show that, for sufficiently large n, more than one bit can be extracted at each iteration of the algorithm. However, in this paper, we stick to the original proof of [7].

Let $n = p \cdot q$ be a Blum integer. The BBS generator is defined by the function bbs given in Fig. 3, which takes as input a length and a seed, and returns a pseudorandom sequence of bits of the required length.

In our framework, one can state the left-unpredictability of bbs by the following definition.

Definition 5.1 (Left-unpredictability). bbs is left-unpredictable iff for all lengths len, for every attacker A, there exists a negligible ε such that

    seed ← Z_n^*;
    [b_0, ..., b_len] ← bbs(len + 1, seed);
    b̂_0 ⇐ A([b_1, ..., b_len]);
    b ← (b̂_0 = b_0);
    return b
  ≡_ε
    b ← {true, false};
    return b

In the left-side game, a seed is picked at random in the set $\mathbb{Z}_n^*$; the function bbs is then used to compute a pseudorandom sequence of bits $[b_0, \ldots, b_{len}]$ of length $len + 1$; this sequence minus its first bit $b_0$ is passed to the attacker $A$; the attacker returns its guess $\hat{b}_0$ for the value of the bit $b_0$; this guess is compared with $b_0$; and the result $b$ of this comparison is returned. bbs is left-unpredictable if the advantage $\varepsilon$ of any attacker over a random player is negligible.

Before proving that bbs is left-unpredictable, we show that it can be reduced to the problem of finding the parity of the principal square root of a random quadratic residue modulo $n$.

Lemma 5.2. If, for every attacker A', there exists a negligible ε such that

    x ← QR_n;
    b̂ ⇐ A'(n, x);
    b ← (b̂ = parity(√x));
    return b
  ≡_ε
    b ← {true, false};
    return b

then bbs is left-unpredictable.

In the left-side game, $x$ is picked at random in the set $QR_n$; this $x$ is passed with $n$ to the attacker $A'$; the attacker returns its guess $\hat{b}$ for the parity of $\sqrt{x}$; this guess is compared with the true parity of $\sqrt{x}$; and the result $b$ of this comparison is returned. The above lemma states that if the advantage $\varepsilon$ of any attacker over a random player is negligible, then bbs is left-unpredictable.

Proof (of Lemma 5.2). We proceed by rewriting the left-side game of the left-unpredictability specification (Def. 5.1).

BBS1. We unfold the definition of bbs:

    seed ← Z_n^*;
    [b_0, ..., b_len] ← bbs_rec(len + 1, seed^2);
    b̂_0 ⇐ A([b_1, ..., b_len]);
    b ← (b̂_0 = b_0);
    return b

BBS2. Because of Fact I (squaring is a surjective four-to-one function from $\mathbb{Z}_n^*$ onto $QR_n$, so Lemma 3.1 applies), we can rewrite the game as:

    x ← QR_n;
    [b_0, ..., b_len] ← bbs_rec(len + 1, x);
    b̂_0 ⇐ A([b_1, ..., b_len]);
    b ← (b̂_0 = b_0);
    return b

BBS3. $x$ is a quadratic residue; we can thus replace $x$ with $\sqrt{x^2}$ (according to Fact VII):

    x ← QR_n;
    [b_0, ..., b_len] ← bbs_rec(len + 1, √(x^2));
    b̂_0 ⇐ A([b_1, ..., b_len]);
    b ← (b̂_0 = b_0);
    return b

BBS4. Because of Fact V (squaring is a permutation of $QR_n$, so by Lemma 3.1 the square $x^2$ of a random residue can be replaced by a fresh random residue), we can rewrite the game as:

    x ← QR_n;
    [b_0, ..., b_len] ← bbs_rec(len + 1, √x);
    b̂_0 ⇐ A([b_1, ..., b_len]);
    b ← (b̂_0 = b_0);
    return b

BBS5. By unfolding one step of bbs_rec (and using $(\sqrt{x})^2 = x$), we get:

    x ← QR_n;
    [b_1, ..., b_len] ← bbs_rec(len, x);
    b̂_0 ⇐ A([b_1, ..., b_len]);
    b ← (b̂_0 = parity(√x));
    return b

BBS6. We have reduced the game to the left-side one of the hypothesis, where the attacker A'(n, x) is instantiated by:

    [b_1, ..., b_len] ← bbs_rec(len, x);
    b̂_0 ⇐ A([b_1, ..., b_len]);
    return b̂_0                                                        □

Using the above lemma, we can now prove that bbs is left-unpredictable.

Theorem 5.3. bbs is left-unpredictable (under the quadratic residuosity assumption).

Proof. By Lemma 5.2, we only need to prove that for every attacker A:

    x ← QR_n;
    b̂ ⇐ A(n, x);
    b ← (b̂ = parity(√x));
    return b
  ≡_ε
    b ← {true, false};
    return b

We proceed by rewriting the left-side game.

BBS7. Because of Fact VI (squaring is a surjective two-to-one function from $\mathbb{Z}_n^*(+1)$ onto $QR_n$, so Lemma 3.1 applies), we can rewrite the game as:

    x ← Z_n^*(+1);
    b̂ ⇐ A(n, x^2);
    b ← (b̂ = parity(√(x^2)));
    return b

BBS8. By Fact VIII we can replace the equality test $\hat{b} = \mathrm{parity}(\sqrt{x^2})$ by $\hat{b} \oplus \mathrm{parity}(x) \oplus 1 = qr(x)$ (where $\oplus$ is the notation for the exclusive-or, XOR): when $x \in QR_n$ the two parities agree and both tests hold iff $\hat{b} = \mathrm{parity}(x)$; when $x \notin QR_n$ they differ and both tests hold iff $\hat{b} \neq \mathrm{parity}(x)$.

    x ← Z_n^*(+1);
    b̂ ⇐ A(n, x^2);
    b ← (b̂ ⊕ parity(x) ⊕ 1 = qr(x));
    return b

BBS9. We have reduced the game to the left-side one of QRA (Assumption 4.1), where the attacker A'(n, x) is instantiated by:

    b̂ ⇐ A(n, x^2);
    return b̂ ⊕ parity(x) ⊕ 1                                            □
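The generator of Fig. 3 together with the two attacker constructions of this section (BBS6 and BBS9), as an added example in Python that is not the paper's code: each game is evaluated exactly by enumeration on a constructed toy Blum integer $n = 7 \cdot 11$, and the check `reduction_preserves_advantage` shows that the BBS7 to BBS9 rewriting loses nothing, i.e. the derived QRA attacker wins with exactly the probability of the attacker it was built from. The "perfect" attacker cheats with the factorisation and stands in for a hypothetical successful predictor; the parameters, the naive predictor and the length 4 are arbitrary choices for the example.

```python
from fractions import Fraction
from math import gcd

# Constructed toy parameters: n = 7 * 11 = 77 is a Blum integer
# (7 ≡ 11 ≡ 3 mod 4).  Useless for security, but small enough that every
# game below is computed exactly instead of being estimated by sampling.
P, Q = 7, 11
N = P * Q


def parity(x):
    return x % 2


def legendre(x, p):
    """Legendre symbol (x/p) as +1 / -1 for x coprime to the prime p."""
    return 1 if pow(x, (p - 1) // 2, p) == 1 else -1


def is_qr(x):            # qr(x): is x a quadratic residue modulo n?
    return legendre(x, P) == 1 and legendre(x, Q) == 1


def jacobi(x):           # Jacobi symbol (x/n) = (x/p)(x/q)
    return legendre(x, P) * legendre(x, Q)


UNITS = [x for x in range(1, N) if gcd(x, N) == 1]          # Z_n^*
QR = [x for x in UNITS if is_qr(x)]                          # QR_n
UNITS_PLUS1 = [x for x in UNITS if jacobi(x) == 1]           # Z_n^*(+1)


def principal_sqrt(x):
    """The unique square root of x ∈ QR_n that is itself in QR_n."""
    roots = [y for y in QR if y * y % N == x]
    assert len(roots) == 1
    return roots[0]


# --- Fig. 3 -------------------------------------------------------------
def bbs_rec(length, x):
    """parity(x) :: bbs_rec(len', x^2), and [] when len = 0."""
    bits = []
    for _ in range(length):
        bits.append(parity(x))
        x = x * x % N
    return bits


def bbs(length, seed):
    assert gcd(seed, N) == 1             # seed ∈ Z_n^*
    return bbs_rec(length, seed * seed % N)


# --- BBS6: a predictor of the missing first bit becomes an attacker A
# --- against the "parity of √x" game of Lemma 5.2 / Theorem 5.3.
def sqrt_parity_attacker(predictor, length):
    def A(n, x):
        tail = bbs_rec(length, x)        # [b_1, ..., b_len] of the sequence
        return predictor(tail)           # guess for b_0 = parity(√x)
    return A


def bbs5_unfolding_holds(length):
    """BBS5: bbs_rec(len+1, √x) = parity(√x) :: bbs_rec(len, x) for x ∈ QR_n."""
    return all(bbs_rec(length + 1, principal_sqrt(x))
               == [parity(principal_sqrt(x))] + bbs_rec(length, x) for x in QR)


# --- BBS7-BBS9: an attacker against that game becomes a QRA attacker A'.
def qra_attacker_from(A):
    def A_prime(n, x):
        b_hat = A(n, x * x % n)          # BBS7: hand A the residue x^2
        return b_hat ^ parity(x) ^ 1     # BBS8: b̂ ⊕ parity(x) ⊕ 1 as qr(x)
    return A_prime


# --- exact win probabilities for deterministic attackers ---------------
def sqrt_parity_win(A):
    """Left game of Theorem 5.3: x ← QR_n; b̂ ⇐ A(n, x); b̂ = parity(√x)?"""
    wins = sum(A(N, x) == parity(principal_sqrt(x)) for x in QR)
    return Fraction(wins, len(QR))


def qra_win(A_prime):
    """Left game of Assumption 4.1: x ← Z_n^*(+1); b̂ ⇐ A'(n, x); b̂ = qr(x)?"""
    wins = sum(bool(A_prime(N, x)) == is_qr(x) for x in UNITS_PLUS1)
    return Fraction(wins, len(UNITS_PLUS1))


def perfect_A(n, x):                     # cheats with the factorisation
    return parity(principal_sqrt(x))


naive_A = sqrt_parity_attacker(lambda tail: tail[0], length=4)  # guess b_0 = b_1


def reduction_preserves_advantage(A):
    """A' wins the QRA game with exactly the probability A wins its game:
    the rewriting BBS7-BBS9 is an equality of distributions, not a bound."""
    return qra_win(qra_attacker_from(A)) == sqrt_parity_win(A)
```

The equality checked by `reduction_preserves_advantage` is exactly what Facts VI and VIII buy: squaring maps the uniform distribution on $\mathbb{Z}_n^*(+1)$ onto the uniform distribution on $QR_n$, and the XOR correction turns a correct parity guess into a correct residuosity answer, so the reduction is tight with no loss in $\varepsilon$.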
5.2 The Goldwasser-Micali public-key cryptographic scheme

The Goldwasser-Micali public-key cryptographic scheme (GM) was the first probabilistic one which was provably secure. More precisely, it is semantically secure under the quadratic residuosity assumption [8]. For defining GM, we need a number $n$ which is the product of two distinct prime numbers $p$ and $q$, and a $y \in QNR_n(+1)$. It is then defined by the three functions given in Fig. 4, where $\left(\frac{c}{p}\right)$ denotes the Legendre symbol of $c$ with respect to $p$.

In our framework, one can state the semantic security of the above scheme by the following definition.
    keygen() =
      pk ← (n, y);
      sk ← (p, q);
      return (pk, sk)

    encrypt((n, y) ∈ ℤ × Z_n^*, b ∈ {0, 1}) =
      x ← Z_n^*;
      c ← (if b = 1 then y · x^2 else x^2);
      return c

    decrypt((p, q) ∈ ℤ × ℤ, c ∈ Z_n^*) =
      e ← (c / p);
      m ← (if e = 1 then 0 else 1);
      return m

Fig. 4. The Goldwasser-Micali scheme



Definition 5.4. GM is semantically secure iff, for every attacker $(A_1, A_2)$, there exists a negligible ε such that

    (pk, sk) ⇐ keygen();
    (m_1, m_2) ⇐ A_1(pk);
    i ← {1, 2};
    c ⇐ encrypt(pk, m_i);
    î ⇐ A_2(pk, (m_1, m_2), c);
    return î = i
  ≡_ε
    b ← {true, false};
    return b

In the left-side game, a pair $(pk, sk)$ of public and secret keys is generated; the public key $pk$ is passed to the attacker $A_1$, which returns two messages $m_1$ and $m_2$; one of them is picked at random and encrypted under the public key $pk$; the obtained ciphertext $c$ is then passed with the public key $pk$ and the pair of messages $(m_1, m_2)$ to the attacker $A_2$; the attacker returns its guess $\hat{i}$ for the index of the picked message; whether the attacker is right or not is returned as the result. A scheme is semantically secure if the advantage $\varepsilon$ of any attacker over a random player is negligible.

Theorem 5.5. The scheme of Goldwasser and Micali is semantically secure (under the quadratic residuosity assumption).

Proof. We proceed by rewriting the left-side game of the semantic-security specification (Def. 5.4).

GM1. We unfold the definitions of keygen and encrypt:

    (m_1, m_2) ⇐ A_1(n, y);
    i ← {1, 2};
    x ← Z_n^*;
    î ⇐ A_2((n, y), (m_1, m_2), if m_i = 1 then y · x^2 else x^2);
    return î = i

GM2. Because of Fact I (squaring maps $\mathbb{Z}_n^*$ four-to-one onto $QR_n$, so by Lemma 3.1 $x^2$ for a random unit can be replaced by a random residue), we can rewrite the game as:

    (m_1, m_2) ⇐ A_1(n, y);
    i ← {1, 2};
    x ← QR_n;
    î ⇐ A_2((n, y), (m_1, m_2), if m_i = 1 then y · x else x);
    return î = i

GM3. Because of Fact II (multiplication by $y$ is a bijection from $QR_n$ onto $QNR_n(+1)$), we can rewrite the game as:

    (m_1, m_2) ⇐ A_1(n, y);
    i ← {1, 2};
    x ← QR_n;
    z ← QNR_n(+1);
    î ⇐ A_2((n, y), (m_1, m_2), if m_i = 1 then z else x);
    return î = i

Note that this transformation is only valid because the result of the game does not depend on the relation between $y \cdot x$ and $x$. Indeed, if $m_i = 1$ then only $y \cdot x$ is used while $x$ can be ignored, and vice versa.

Now we consider the different cases for the messages $m_1$ and $m_2$ chosen by the attacker.

(i) $(m_1, m_2) = (0, 0)$:

GM4. We can rewrite the game as:

    x ← QR_n;
    z ← QNR_n(+1);
    î ⇐ A_2((n, y), (0, 0), x);
    i ← {1, 2};
    return î = i

$i$ can be picked randomly after the calls to the attacker. Therefore $\hat{i}$ does not depend on $i$, and the result is a fair coin. Our goal is proved.

(ii) $(m_1, m_2) = (1, 1)$: This is similar to the previous case except that $A_2$ is given $z$ instead of $x$.

(iii) $(m_1, m_2) = (0, 1)$:

GM5. We can rewrite the game GM3 as:

    i ← {1, 2};
    if i = 1 then
      x ← QR_n;
      î ⇐ A_2((n, y), (0, 1), x);
      return î = i
    else
      z ← QNR_n(+1);
      î ⇐ A_2((n, y), (0, 1), z);
      return î = i
GM6. By definition of qr (in the first branch $x \in QR_n$, so $qr(x) = \mathrm{true}$ and $\hat{i} = 1$ iff $(\hat{i} = 1) = qr(x)$; in the second branch $z \notin QR_n$, so $\hat{i} = 2$ iff $(\hat{i} = 1) = qr(z)$), we can rewrite the game as:

    if i = 1 then
      x ← QR_n;
      î ⇐ A_2((n, y), (0, 1), x);
      b̂ ← (î = 1);
      return b̂ = qr(x)
    else
      z ← QNR_n(+1);
      î ⇐ A_2((n, y), (0, 1), z);
      b̂ ← (î = 1);
      return b̂ = qr(z)

GM7. Because of Fact III (the two sets have the same size, so choosing a fair coin and then a uniform element of one of them is the same as choosing a uniform element of their union), we can rewrite the game as:

    x ← QR_n ∪ QNR_n(+1);
    î ⇐ A_2((n, y), (0, 1), x);
    b̂ ← (î = 1);
    return b̂ = qr(x)

GM8. Because of Fact IV, we can rewrite the game as:

    x ← Z_n^*(+1);
    î ⇐ A_2((n, y), (0, 1), x);
    b̂ ← (î = 1);
    return b̂ = qr(x)

GM9. We have reduced the game to the left-side one of QRA (Assumption 4.1), where the attacker A'(n, x) is instantiated by:

    î ⇐ A_2((n, y), (0, 1), x);
    b̂ ← (î = 1);
    return b̂

(iv) $(m_1, m_2) = (1, 0)$: This case is similar to the previous one.                         □
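The scheme of Fig. 4 and the attacker construction of GM9, as an added example in Python that is not the paper's code: keygen/encrypt/decrypt on a constructed toy modulus $n = 7 \cdot 11$ (with the randomness of encrypt made an explicit argument so the game of Definition 5.4 can be enumerated exactly), a correctness check, and the check that for messages $(0, 1)$ the derived QRA attacker wins Assumption 4.1's game with exactly the probability $(A_1, A_2)$ wins the semantic-security game, which is what the GM5 to GM8 rewriting asserts. The "cheating" $A_2$ uses the factorisation and stands in for a hypothetical successful attacker; the parity heuristic is an arbitrary second attacker for the example.

```python
from fractions import Fraction
from math import gcd

# Constructed toy parameters (p = 7, q = 11, n = 77).  Unusably small, but
# small enough that every game below is evaluated exactly by enumeration.
P, Q = 7, 11
N = P * Q


def legendre(x, p):
    """Legendre symbol (x/p) as +1 / -1 for x coprime to the prime p."""
    return 1 if pow(x, (p - 1) // 2, p) == 1 else -1


def is_qr(x):            # qr(x) for the modulus n
    return legendre(x, P) == 1 and legendre(x, Q) == 1


UNITS = [x for x in range(1, N) if gcd(x, N) == 1]                       # Z_n^*
UNITS_PLUS1 = [x for x in UNITS if legendre(x, P) * legendre(x, Q) == 1]  # Z_n^*(+1)
# y ∈ QNR_n(+1): a non-residue modulo both primes, hence Jacobi symbol +1.
# Jacobi +1 is essential: x^2 and y*x^2 must be indistinguishable by the
# publicly computable Jacobi symbol, otherwise the scheme breaks trivially.
Y = next(y for y in UNITS if legendre(y, P) == -1 and legendre(y, Q) == -1)


# --- Fig. 4 -------------------------------------------------------------
def keygen():
    return (N, Y), (P, Q)                        # (pk, sk)


def encrypt(pk, b, x):
    """encrypt((n, y), b) with the random x ∈ Z_n^* passed in explicitly."""
    n, y = pk
    return y * x * x % n if b == 1 else x * x % n


def decrypt(sk, c):
    """m = 0 iff the Legendre symbol (c/p) is 1, i.e. c is a residue mod p."""
    p, _q = sk
    return 0 if legendre(c, p) == 1 else 1


def gm_correct():
    pk, sk = keygen()
    return all(decrypt(sk, encrypt(pk, b, x)) == b for b in (0, 1) for x in UNITS)


# --- Definition 5.4 for a deterministic (A1, A2), computed exactly --------
def ss_win(A1, A2):
    pk, sk = keygen()
    m = A1(pk)                                          # (m_1, m_2)
    cases = [(i, x) for i in (1, 2) for x in UNITS]     # i ← {1,2}; x ← Z_n^*
    wins = sum(A2(pk, m, encrypt(pk, m[i - 1], x)) == i for i, x in cases)
    return Fraction(wins, len(cases))


# --- GM9: from an A2 facing messages (0, 1) to a QRA attacker A' ---------
def qra_attacker_from(A2):
    def A_prime(n, x):
        i_hat = A2((n, Y), (0, 1), x)
        return i_hat == 1                               # b̂ ← (î = 1)
    return A_prime


def qra_win(A_prime):
    """Left game of Assumption 4.1: x ← Z_n^*(+1); b̂ ⇐ A'(n, x); b̂ = qr(x)?"""
    wins = sum(A_prime(N, x) == is_qr(x) for x in UNITS_PLUS1)
    return Fraction(wins, len(UNITS_PLUS1))


A1_zero_one = lambda pk: (0, 1)                         # case (iii) of the proof


def cheating_A2(pk, m, c):
    return 1 if is_qr(c) else 2                         # m_1 = 0 ⇒ c ∈ QR_n


def parity_A2(pk, m, c):
    return 1 if c % 2 == 0 else 2                       # a heuristic of no value


def reduction_preserves_advantage(A2):
    """GM5-GM8: for messages (0, 1) the two win probabilities coincide."""
    return ss_win(A1_zero_one, A2) == qra_win(qra_attacker_from(A2))
```

The equality holds for any $A_2$, not only the two shown, because Facts I and II make $x^2$ uniform on $QR_n$ and $y \cdot x^2$ uniform on $QNR_n(+1)$, and Facts III and IV merge the two halves into a uniform choice over $\mathbb{Z}_n^*(+1)$.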
6 Implementation

We have extended our toolbox with a module which contains number-theoretic lemmas on Legendre and Jacobi symbols, and on Blum integers. Based on those lemmas, we have proved arithmetic-based game transformations in the module dedicated to transformations. We have added the definition of unpredictability and the quadratic residuosity assumption in the appropriate modules. We have then used those extensions to make the formal security proofs of the Blum-Blum-Shub generator and the Goldwasser-Micali scheme.

Future work. Two standard mathematical results remain to be proved in the proof assistant Coq. The first one is Fermat's little theorem. Although there are proofs of this theorem in the contributions of Coq, they are not compatible with its standard library. The second one is the fact that if $p$ is a prime number then the group $\mathbb{Z}_p^*$ is cyclic. Although those theorems are orthogonal to our work, it would be nice to have them machine checked, if only for the sake of completeness. For the moment, we have added them as axioms.

We compute neither exact nor asymptotic running time. This is orthogonal to the verification of game transformations. In the examples we dealt with, the algorithms $A'$ that we built from the attacker $A$ at the end of Lemma 5.2, Theorem 5.3 and Theorem 5.5 are trivially PPT and thus valid attackers. However, this is not checked by the current implementation.

7 Conclusions

We have extended our toolbox with number-theoretic capabilities. It is thus now possible to use this toolbox for machine-checking game-based proofs of arithmetic-based cryptographic primitives. We have shown the usability of our implementation by applying it to the proof of unpredictability of the Blum-Blum-Shub generator and the proof of semantic security of the Goldwasser-Micali scheme. This is the first time that a proof of unpredictability is machine checked. Machine formalization has forced us to make clear all the details in those proofs that are usually either left to the reader or roughly explained in English. In spite of this level of detail, we claim that our proofs remain human readable and are mechanically human checkable without appealing too much to intuition.